Hi Angus,

On Mon, 20 Oct 2014 18:38 +0100 (BST), you wrote:
>
> There has been recent press about an SSL server exploit called Poodle, which
> only affects SSLv3, not the more recent TLS 1.x protocols.
>
> Disabling SSLv3 in servers can be done by setting:
>
> SslContext.SslVersionMethod := sslV23_SERVER;
> SslContext.SslOptions := [sslOpt_NO_SSLv2, sslOpt_NO_SSLv3,
> sslOpt_CIPHER_SERVER_PREFERENCE];
>
> v2 was obsolete long ago.
>
> You should also change the cipher suite, Mozilla now suggests three levels of
> ciphers, which are all now added to the latest overnight ICS v8 SVN.
>
> The minimum browsers these ciphers support are:
>
> sslCiphersMozillaSrvHigh - Firefox 27, Chrome 22, IE 11, Opera 14, Safari 7,
> Android 4.4, Java 8
>
> sslCiphersMozillaSrvInter -  Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1,
> Windows XP IE8, Android 2.3, Java 7
>
> sslCiphersMozillaSrvBack - Windows XP IE6, Java 6
>
> so since IE6 is long obsolete I suggest:
>
> SslContext.SslCipherList := sslCiphersMozillaSrvInter;
>
>
> Once you have your ICS SSL web server updated and installed on a public server,
> there is an excellent SSL testing web site at:
>
> https://www.ssllabs.com/ssltest/index.html
>
> It takes a few minutes to test all the ciphers, but generates a detailed
> security report giving your web site a letter rating.  Making the changes
> above raised my ICS SSL site from C to A-.

I see you speak of fixing web servers in regard to the poodle exploit. 
Is there any problem with clients? I see mine are set to sslv23. I 
believe that was the default. Should I change this and if so, to what?

Also, I was wondering if it's possible to get a snapshot of your openssl 
1.0.1i or 1.0.1j?

Thanks so much,

Richard

-- 
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be
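As an added example (not code from the thread or from ICS itself), here is the server-side configuration Angus describes collected into one procedure, plus a client-side counterpart for the question about client contexts; the client variant assumes that ICS v8 exposes sslV23_CLIENT alongside the sslV23_SERVER value used above.

```delphi
{ Added example, not from the thread: hardens ICS TSslContext instances against
  POODLE by refusing SSLv2/SSLv3 so only TLS 1.x can be negotiated.
  Assumes ICS v8 (OverbyteIcsWSocket) with the sslCiphersMozillaSrv* constants. }
uses
  OverbyteIcsWSocket;

{ Server side: the settings from the post, in one place. }
procedure HardenServerContext(Ctx: TSslContext);
begin
  { sslV23_SERVER lets OpenSSL negotiate the highest version the client
    supports; the NO_* options then forbid the obsolete protocols. }
  Ctx.SslVersionMethod := sslV23_SERVER;
  Ctx.SslOptions := [sslOpt_NO_SSLv2, sslOpt_NO_SSLv3,
                     sslOpt_CIPHER_SERVER_PREFERENCE];
  { Mozilla "intermediate" list: still reaches IE7/XP but drops IE6 and Java 6. }
  Ctx.SslCipherList := sslCiphersMozillaSrvInter;
end;

{ Client side: a client that still offers SSLv3 can be downgraded to it by an
  attacker on the path, so it should refuse SSLv3 as well.
  sslV23_CLIENT is assumed to exist as the client counterpart of sslV23_SERVER. }
procedure HardenClientContext(Ctx: TSslContext);
begin
  Ctx.SslVersionMethod := sslV23_CLIENT;
  Ctx.SslOptions := [sslOpt_NO_SSLv2, sslOpt_NO_SSLv3];
  Ctx.SslCipherList := sslCiphersMozillaSrvInter;
end;
```

Call the relevant procedure before the context is initialised; a server that has been hardened this way should show "SSL 3 No" in the Protocols section of the SSL Labs report mentioned above.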